Description of problem:
OpenStack commands to the undercloud fail after the CA certificate is renewed
Version-Release number of selected component (if applicable):
RHOSP 17.1
How reproducible:
Always
Steps to Reproduce:
1. Turn the clock ahead by more than one year so that certmonger renews the CA certificate and the server certificate.
[root@undercloud ~]# systemctl stop chronyd
[root@undercloud ~]# date -s "05/30 13:00 2025"
Fri May 30 13:00:00 JST 2025
[root@undercloud ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20240228041555':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/haproxy-external-cert.key'
certificate: type=FILE,location='/etc/pki/tls/certs/haproxy-external-cert.crt'
CA: local
issuer: CN=01c6e59b-c6d74ee1-b8ac3ed9-719fcc29,CN=Local Signing Authority
subject: CN=192.168.24.2
issued: 2025-05-30 13:00:13 JST
expires: 2026-05-30 13:00:13 JST
dns: 192.168.24.2
principal name: haproxy/192.168.24.2@UNDERCLOUD
key usage: digitalSignature,keyEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /etc/certmonger/post-scripts/haproxy-external-cert-6dc0da8.sh
track: yes
auto-renew: yes
[root@undercloud ~]# exit
logout
[stack@undercloud ~]$
2. OpenStack commands to undercloud fail with SSL verification error
[stack@undercloud ~]$ source stackrc
(undercloud) [stack@undercloud ~]$ openstack endpoint list
Failed to discover available identity versions when contacting https://192.168.24.2:13000. Attempting to parse version from URL.
Could not find versioned identity endpoints when attempting to authenticate. Please check that your auth_url is correct. SSL exception connecting to https://192.168.24.2:13000: HTTPSConnectionPool(host='192.168.24.2', port=13000): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
3. /etc/pki/ca-trust/source/anchors/cm-local-ca.pem is not updated from /var/lib/certmonger/local/creds
[root@undercloud ~]# diff <(openssl x509 -text -in /etc/pki/ca-trust/source/anchors/cm-local-ca.pem) <(openssl x509 -text -in /var/lib/certmonger/local/creds) -y
Certificate:                                                      Certificate:
    Data:                                                             Data:
        Version: 3 (0x2)                                                  Version: 3 (0x2)
        Serial Number:                                                    Serial Number:
            01:c6:e5:9b:c6:d7:4e:e1:b8:ac:3e:d9:71:9f:cc:29        |         01:c6:e5:9b:c6:d7:4e:e1:b8:ac:3e:d9:71:9f:cc:2b
        Signature Algorithm: sha256WithRSAEncryption                      Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Local Signing Authority, CN = 01c6e59b-c             Issuer: CN = Local Signing Authority, CN = 01c6e59b-c
        Validity                                                          Validity
            Not Before: Feb 28 04:15:50 2024 GMT                   |         Not Before: May 30 04:00:13 2025 GMT
            Not After : Feb 28 04:15:50 2025 GMT                   |         Not After : May 30 04:00:13 2026 GMT
        Subject: CN = Local Signing Authority, CN = 01c6e59b-             Subject: CN = Local Signing Authority, CN = 01c6e59b-
        Subject Public Key Info:                                          Subject Public Key Info:
            Public Key Algorithm: rsaEncryption                               Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)                                            Public-Key: (2048 bit)
                Modulus:                                                          Modulus:
                    00:eb:bc:bb:dc:61:28:9c:38:b0:e6:80:d1:d4      |             00:cd:0b:40:ca:90:f6:da:14:50:a7:b4:a8:cd
                    27:b9:db:41:c3:4f:b7:45:bd:28:19:dd:aa:ae      |             89:71:2c:18:a8:42:cf:98:30:63:39:bc:19:2e
                    fa:5f:13:6b:a5:13:05:00:1c:d9:7d:5c:af:02      |             36:ff:fe:d1:33:7a:62:f2:12:d3:f5:70:4b:c4
Actual results:
OpenStack commands fail
Expected results:
OpenStack commands should succeed.
Additional info:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:9978
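Added example (not part of this bug report, of certmonger, or of RHOSP): a check for the condition step 3 exposes. The renewed local CA keeps exactly the same subject and issuer DN as the old one; only the serial number and the key change, as the diff shows. A name-based comparison therefore cannot tell the stale trust anchor from the live CA, which is why the script compares SHA-256 certificate fingerprints, and then verifies the haproxy certificate against the anchor the same way a client would (a stale anchor produces the "unable to get local issuer certificate" failure seen in step 2). The default paths are the ones from the report; the CA certificate is read out of /var/lib/certmonger/local/creds with openssl x509 exactly as the reporter does in step 3. It only diagnoses; it changes nothing on the host.

```shell
#!/bin/sh
# Added example for RHOSP bug "OpenStack commands to the undercloud fail after the
# CA certificate is renewed". Not the project's code. Requires only openssl and sed.

cert_fingerprint() {
    # SHA-256 fingerprint of the first CERTIFICATE block in a PEM file. For
    # /var/lib/certmonger/local/creds that block is the local CA certificate.
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

anchor_matches_local_ca() {
    # 0 if the trust anchor ($1) and certmonger's live CA ($2) are the same certificate.
    # Compared by fingerprint because the renewed CA keeps the same DN.
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

server_cert_verifies() {
    # 0 if the server certificate ($2) chains to the anchor ($1), as a TLS client checks.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_undercloud_tls() {
    # Runs both checks, prints a diagnosis and returns 0 only if everything is consistent.
    # Arguments (all optional): anchor, certmonger local CA file, server certificate.
    anchor=${1:-/etc/pki/ca-trust/source/anchors/cm-local-ca.pem}
    local_ca=${2:-/var/lib/certmonger/local/creds}
    server_cert=${3:-/etc/pki/tls/certs/haproxy-external-cert.crt}
    rc=0
    if anchor_matches_local_ca "$anchor" "$local_ca"; then
        echo "OK: trust anchor matches certmonger's local CA"
    else
        echo "MISMATCH: $anchor is not the CA certificate in $local_ca"
        echo "  anchor:   $(cert_fingerprint "$anchor")"
        echo "  local CA: $(cert_fingerprint "$local_ca")"
        rc=1
    fi
    if server_cert_verifies "$anchor" "$server_cert"; then
        echo "OK: $server_cert verifies against $anchor"
    else
        echo "FAIL: $server_cert does not chain to $anchor (clients will report CERTIFICATE_VERIFY_FAILED)"
        rc=1
    fi
    return $rc
}

# Stand-alone use on the undercloud (as root, since creds is root-only):
#   sh check_undercloud_tls.sh --check
if [ "${1:-}" = "--check" ]; then
    shift
    check_undercloud_tls "$@"
fi
```

When the first check reports MISMATCH, the anchor directory is the input `update-ca-trust extract` builds the system bundle from, so whatever copies the renewed CA into it has to run again before the bundle (and every client using it) can trust the new issuer; the script deliberately stops at the diagnosis and does not perform that copy.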